Trojan-Spy:W32/ZBot.HS

Removal

Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Technical Details

Trojan-Spy:W32/ZBot.HS was discovered on February 20th 2008 and targets the online
banking portal of a Finnish bank; the spam e-mail messages used to distribute its
executable binary file are written in Finnish. Later samples received on April 04, 2008
are now detected as Trojan-Spy:W32/Zbot.KZ. The new download filename is iPIX-install.exe.
If infection is confirmed, contact your bank and verify your online banking
transactions.

Distribution

Several Finnish-language spam messages were used to direct recipients to various
websites. The websites supposedly contain images that require an iPIX plug-in. The
download link for the "plug-in" in fact downloads the ZBot file.

A sample message is below:

The message warns of a radioactive cloud spreading from a nuclear reactor close to
the Finnish city of Mikkeli. The end of the message provides a link to a supposed
blog with pictures of the event and of victims.

It is an attempt at social engineering. However, as there is no nuclear power plant
near Mikkeli, many recipients report that they were not tempted by the message.

This is an example of the website:

An icon for a needed plug-in is displayed rather than images when viewing the site.

The message below the image area contains the link from which the malware is downloaded:

There are several versions of bait used by the spam messages.

One message claims to be from a woman seeking love. The message directs to a Web site
such as this:

The website designs have been used before; there are previous German-language
versions targeting individuals in Switzerland.

ZBot variants use modular components (configuration and commands) downloaded from
the Internet after installation. The components are encrypted, probably to hinder
analysis of the code.

Installation

Upon execution the trojan copies itself to the following location:

%windir%\system32\ntos.exe

Note: %windir% represents the system's default Windows directory. The folder name
may vary by language localization.

It then creates the following folder under the Windows system directory:

wsnpoem

ZBot.HS attempts to hide this folder using stealth techniques.

It creates the following files in the newly created folder:

audio.dll

video.dll

These files contain encrypted data.
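The installation steps above give a defender a small set of host indicators: a copy of the trojan at %windir%\system32\ntos.exe, a wsnpoem folder under the system directory, and audio.dll and video.dll inside it. The following Python is an added example (not F-Secure's code) that checks a file listing for exactly those artifacts. Because the page notes that the Windows folder name varies by localization, the check keys on the system32 component rather than on a fixed %windir% name, and because ZBot.HS hides the wsnpoem folder, the listing is assumed to come from an offline image or clean-boot scan rather than from the running infected host. The SAMPLE_LISTING paths are constructed sample data.

```python
# Host-side indicator check for the Trojan-Spy:W32/ZBot.HS installation
# artifacts described on this page. Added example; the file listing below is
# constructed sample data, not output of a real scan.

DROPPED_COPY = "ntos.exe"          # copied to %windir%\system32\ntos.exe
HIDDEN_DIR = "wsnpoem"             # folder created under the system directory
ENCRYPTED_COMPONENTS = {"audio.dll", "video.dll"}  # written inside wsnpoem

# Constructed listing: a few benign entries plus the artifacts from the page.
# A file named audio.dll elsewhere on disk is included to show it is not matched.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\ntos.exe",
    r"C:\WINDOWS\system32\wsnpoem",
    r"C:\WINDOWS\system32\wsnpoem\audio.dll",
    r"C:\WINDOWS\system32\wsnpoem\video.dll",
    r"C:\Program Files\Common Files\audio.dll",
]


def _parts(path):
    """Split a Windows path into lowercase components, tolerating '/' separators."""
    return [p for p in path.replace("/", "\\").lower().split("\\") if p]


def classify(path):
    """Return an indicator label for one path, or None if it matches nothing.

    The Windows directory itself is not compared against a fixed name, since
    %windir% may be localized; only the trailing system32 components matter.
    """
    parts = _parts(path)
    if len(parts) < 2:
        return None
    name, parent = parts[-1], parts[-2]
    if name == DROPPED_COPY and parent == "system32":
        return "dropped-copy"
    if name == HIDDEN_DIR and parent == "system32":
        return "hidden-folder"
    if (name in ENCRYPTED_COMPONENTS and parent == HIDDEN_DIR
            and len(parts) >= 3 and parts[-3] == "system32"):
        return "encrypted-component"
    return None


def scan(listing):
    """Group every matching path in the listing under its indicator label."""
    hits = {}
    for path in listing:
        label = classify(path)
        if label is not None:
            hits.setdefault(label, []).append(path)
    return hits


def assess(hits):
    """Turn grouped hits into a verdict.

    The dropped copy together with the wsnpoem folder or one of its components
    matches the full installation pattern; a lone hit is reported as suspicious
    so an analyst can look at it without the check over-claiming.
    """
    if not hits:
        return "clean"
    if "dropped-copy" in hits and ("hidden-folder" in hits
                                   or "encrypted-component" in hits):
        return "likely-infected"
    return "suspicious"


if __name__ == "__main__":
    found = scan(SAMPLE_LISTING)
    for label, paths in sorted(found.items()):
        for p in paths:
            print(f"{label:20} {p}")
    print("verdict:", assess(found))
```

On a real engagement the listing would be produced by walking the mounted system volume from a clean environment; if the wsnpoem folder is absent from a listing taken on the live host but present offline, that difference is itself consistent with the stealth behaviour the page describes.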

The trojan modifies the following registry entry to enable its automatic execution
upon Windows startup: